on 09-11-2009 9:01 PM
The following is the AssignUserstoADGroup pass:
dn $FUNCTION.sap_getGroupDN(%MSKEY%)$$
changetype modify
+ uniquemember %DN%$rep.$NAME%%
I am assuming dn is the User dn and %DN%$rep.$NAME%% is the group DN.
If the ProvisionADUser task is called from the workflow, how is it supposed to work? What input attribute should be given?
Thanks
S.
Thanks for all your replies. My MX_PROVISIONTASK was not properly linked. Once that was done it works.
Hey
This:
ToDSADirect.modEntry !ERROR:Entry does not exist
means that it's not returning the DN of the group from the Privilege in the Identity Store. It's finding an invalid entry or value and thus the SQL in sap_getGroupDN is returning the error.
A couple of things spring to mind:
- It uses the audit table to determine the MSKey of the user being operated on. You can check the audit table to ensure that the user you are expecting is logged against the job. If not, it's not going to work.
- It uses the repository name set for the job to determine the attribute to return. If you don't have a repository set through the task list somewhere (or directly on the job), it won't work. Given the error you're getting, this is probably the problem. It's trying to retrieve "DN<repname>" and coming back with attribute does not exist...
Confirm that the repository is set and that the privilege for the AD Group has an appropriate DN<repname> attribute...
Peter Wass
Peter,
Thanks much for your time and reply.
The problem was I had changed the Task name (made a copy of PF task) and did not change the MX_PROVISIONTASK to reflect the name change. After I set this correctly it works.
I still have a couple of issues, and maybe they are because I am calling the ProvisionAD task from the workflow. I am not sure.
Issues:
1. I am not able to assign multiple groups - only the first one gets assigned.
2. I still see the error I mentioned in my initial post in the log files and the job itself seems to run multiple times (I suspect this is because the MX_PROVISIONTASK runs it once and then me calling the ProvisionAD task runs it again).
Any input please. How should all this work? The SAP PF has all these system-specific tasks; are they not supposed to be called individually? And if not, how should the process work?
Any inputs and/or direction please.
Thanks
Shabna
Shabna
The SAP PF treats AD groups as privileges. As such, they should be assigned by the privilege assignment, not through user provisioning - you can do it but the SAP PF isn't set up that way. This is why it's designed to do one at a time. You have to assign users to groups in AD, not groups to users.
If I can remember the script correction (don't have it in front of me)
It:
- gets the audit entry of the current job
- selects the aValue from MXIV_SENTRIES where attribute = audit entry attribute, mskey= userid and checksum = audit entry checksum
- It gets the current repository from the job
- The aValue is then the privilege mskey which is used to retrieve the group DN%rep.Name% from the group-privilege using getValue
So
- the audit entry which started the job must reflect the assignment of the privilege
- the repository must be correct
If either of those are incorrect then it won't retrieve the group properly.
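As an added illustration (not part of the original posts and not SAP's script), the lookup chain described above can be modelled over constructed in-memory data to show which missing input yields the `!ERROR:Entry does not exist` string and how a guard keeps that string from being sent to the directory as a dn. The function names, the table stand-ins, the repository name `AD1` and all DNs are assumptions.

```javascript
// Added illustration: models the lookup steps described in the reply above.
// All table contents, MSKEYs and DNs below are constructed sample data.
const ERR = "!ERROR:Entry does not exist"; // sentinel string seen in the thread's log

// Constructed stand-ins for the audit table, MXIV_SENTRIES and the privilege entries.
const audit = { 998283: { userMskey: 1001, attribute: "MXREF_MX_PRIVILEGE", checksum: 42 } };
const sentries = [
  { mskey: 1001, attribute: "MXREF_MX_PRIVILEGE", checksum: 42, aValue: 5001 },
];
const privileges = { 5001: { DNAD1: "CN=Sales,OU=Groups,DC=example,DC=test" } };

// Hypothetical re-creation of the described steps; not SAP's sap_getGroupDN.
function resolveGroupDN(auditId, repName) {
  const a = audit[auditId];
  if (!a || !a.userMskey) return ERR;   // no valid user id on the audit entry
  const row = sentries.find(r => r.mskey === a.userMskey &&
    r.attribute === a.attribute && r.checksum === a.checksum);
  if (!row) return ERR;                 // audit entry is not a privilege assignment
  if (!repName) return ERR;             // no repository set on the job
  const dn = (privileges[row.aValue] || {})["DN" + repName];
  return dn || ERR;                     // privilege lacks a DN<repname> attribute
}

// Guard: refuse to hand a sentinel or non-DN string to the LDAP modify.
// Simplified DN shape check; escaped commas inside values are not handled.
function isUsableDN(value) {
  return typeof value === "string" && !value.startsWith("!ERROR") &&
    /^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$/.test(value);
}

// Builds the modify only when the group DN resolved; otherwise reports why.
function planModify(auditId, repName, userDN) {
  const groupDN = resolveGroupDN(auditId, repName);
  if (!isUsableDN(groupDN)) return { skip: true, reason: groupDN };
  return { skip: false, dn: groupDN, changetype: "modify", add: { member: userDN } };
}
```

With the guard in place, a failed lookup surfaces as a skipped entry with a reason instead of the LDAP error 34 (invalid DN syntax) shown in the log.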
I'm quite sure dn is the Group-DN while %DN%$rep.$name%% is the user-DN.
If you look at your AD with an LDAP-browser you can see that your groups have member-attributes which store the user-DNs
The ProvisionADSUser-Task is supposed to be a sub-task of ProvisionADS. Normally you don't "call" it separately.
Sorry, but I don't really understand your problem or what you intend to do... please clarify.
BR
Michael
Michael, thanks for your time.
I am using ProvisionADUser Task (Not ProvisionAD because the only difference is the exchange user setup and I don't want it right now).
The AssignUserToADSGroup sub task fails with the following error:
____________________________________________________________________________
05.01.2010 11:42:20 :I:initPass ToDSADirect: AssignUserToADSGroup
05.01.2010 11:42:20 :X:Common attribute ReconnectSize, value '' could not be resolved to integer, assuming 500
05.01.2010 11:42:21 :X:SELECT * FROM MXPROV_ENTRIES WHERE MXP_ACTIONID=? AND MXP_REPOSITORY=?
05.01.2010 11:42:21 :I:AuditId: 998283
05.01.2010 11:42:21 :E:No valid userid found to get group dn
05.01.2010 11:42:21 :I:PrivMSKey:
05.01.2010 11:42:21 :W:PrivDN: !ERROR:Entry does not exist
05.01.2010 11:42:21 :E:Failed storing !ERROR:Entry does not exist
05.01.2010 11:42:21 :E:Exception from Mod operation:ToDSADirect.modEntry !ERROR:Entry does not exist failed with NamingException. (LDAP error: The distinguished name has an invalid syntax)
Explanation: !ERROR:Entry does not exist: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001D1, problem 2006 (BAD_NAME), data 8350, best match of: '!ERROR:Entry does not exist' ]
Remaining name: !ERROR:Entry does not exist
Resolved name: javax.naming.InvalidNameException: !ERROR:Entry does not exist: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001D1, problem 2006 (BAD_NAME), data 8350, best match of:
'!ERROR:Entry does not exist' ]; remaining name '!ERROR:Entry does not exist'
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2923)
___________________________________________________________________________________
The ToLDAP pass looks like below:
dn $FUNCTION.sap_getGroupDN(%MSKEY%)$$
changetype modify
+member %DN%$rep.$NAME%%
I am a little confused as to how this works. When I give the attributes in the user interface for the task like firstname, lastname etc., I am assuming I give MXREF_MX_PRIVILEGE for the group to which it should be assigned. Is this correct? If not, how do I input which group should be assigned for the new user?
Thanks for all your help.
Thanks
Shabna
I'm sorry but I can't help you here.
If you don't need the ProvisionExchange-Task why don't you simply leave that away/disable it in the original SAP-PF instead of rebuilding it with your custom tasks?
I too think it's quite hard to understand what the SAP PF does in which stage, because you have to understand all the scripts and how they work together.
Can someone help me with this, please?